Support for GKE Workload Identities for Okteto Self-Hosted

Hi everyone,

I’m excited to announce that GCP Workload Identity and AWS IAM Roles for Service Accounts support for Okteto Enterprise Self Hosted is now available.

You’ll need version 0.12 of our Okteto Enterprise Helm chart for this feature to work.

Check out the following examples for enabling it in GCP and AWS:

GCP Workload Identity

Follow the Okteto Enterprise GKE guide, but omit the creation of “okteto-cloud-secret”: that secret holds the static service account key, and Workload Identity replaces it with short-lived tokens issued to the pod.

Grant the Kubernetes Service Accounts of cert-manager and of the Okteto Enterprise Registry permission to act as the GCP Service Account you just created (role roles/iam.workloadIdentityUser). The member is PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]; the namespace and the KSA name must match what the Helm chart creates exactly, or the pods get no credentials. Replace the variables below with your own information.

gcloud iam service-accounts add-iam-policy-binding \
  ${GSA_NAME}@${GSA_PROJECT}.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${PROJECT_ID}.svc.id.goog[${RELEASE_NAMESPACE}/certmanager]"

gcloud iam service-accounts add-iam-policy-binding \
  ${GSA_NAME}@${GSA_PROJECT}.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${PROJECT_ID}.svc.id.goog[${RELEASE_NAMESPACE}/${RELEASE_NAME}-okteto-enterprise-registry]"

Merge or set the following YAML properties with your specific configuration. Replace the variables below with your own information.

cloud:
  provider:
    gcp:
      workloadIdentity:
        enabled: true

cert-manager:
  extraArgs: [--issuer-ambient-credentials=true]
  serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account: GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com

registry:
  serviceAccount:
    create: true
    annotations:
      iam.gke.io/gcp-service-account: GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com

AWS IAM Roles for Service Accounts

Follow the Okteto Enterprise EKS guide, but omit the creation of “okteto-cloud-secret” and of the IAM user: the user's long-lived access keys are what IAM Roles for Service Accounts replaces. Instead, create an IAM policy with the actions specified in the guide; it is attached to the roles created below.

Register your EKS cluster's OIDC issuer as an IAM identity provider, so that IAM can verify the service account tokens the cluster issues. Replace the variables below with your own information.

eksctl utils associate-iam-oidc-provider \
  --cluster $CLUSTER_NAME \
  --region $REGION \
  --approve

Create an IAM Role for each of the cert-manager and Okteto Enterprise Registry service accounts. The --role-only flag creates only the IAM role, with a trust policy scoped to that namespace/service account pair, and leaves the Kubernetes Service Account itself to the Helm chart. Replace the variables below with your own information.

eksctl create iamserviceaccount \
  --cluster $CLUSTER_NAME \
  --region $REGION \
  --name cert-manager \
  --namespace $RELEASE_NAMESPACE \
  --attach-policy-arn $POLICY_ARN \
  --role-name ${RELEASE_NAME}-cert-manager \
  --role-only \
  --approve

eksctl create iamserviceaccount \
  --cluster $CLUSTER_NAME \
  --region $REGION \
  --name ${RELEASE_NAME}-okteto-enterprise-registry \
  --namespace $RELEASE_NAMESPACE \
  --attach-policy-arn $POLICY_ARN \
  --role-name ${RELEASE_NAME}-okteto-enterprise-registry \
  --role-only \
  --approve

Merge or set the following YAML properties with your specific configuration. Replace the variables below with your own information.

cloud:
  provider:
    aws:
      iam:
        enabled: false

cert-manager:
  extraArgs: [--issuer-ambient-credentials=true]
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: 'arn:aws:iam::${AWS_ACCOUNT_ID}:role/${RELEASE_NAME}-cert-manager'

registry:
  serviceAccount:
    create: true
    annotations:
      eks.amazonaws.com/role-arn: 'arn:aws:iam::${AWS_ACCOUNT_ID}:role/${RELEASE_NAME}-okteto-enterprise-registry'
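The steps above, for either provider, succeed only if three things line up exactly: the KSA annotation names the cloud identity, the cloud side (IAM policy binding on GCP, role trust policy on AWS) names the same namespace/KSA pair, and the old okteto-cloud-secret is really gone. The script below is an added example written for this post, not part of the Okteto chart or docs. It assumes the same variable names as the post (RELEASE_NAME, RELEASE_NAMESPACE, PROJECT_ID, GSA_NAME, GSA_PROJECT, AWS_ACCOUNT_ID), that kubectl and gcloud or aws are already configured for the live checks, and an optional CERT_MANAGER_KSA override because the post uses "certmanager" on GKE and "cert-manager" on EKS; confirm the real name with kubectl get sa. The sample values file embedded in it is constructed for the example.

```shell
#!/usr/bin/env bash
# verify-workload-identity.sh (added example, not part of the Okteto chart)
# Checks that the Kubernetes service accounts (KSAs) used by cert-manager and
# the registry are wired to the intended cloud identity, and that the static
# okteto-cloud-secret was not left behind.
# Assumed variables (same names as the post): RELEASE_NAME, RELEASE_NAMESPACE,
# PROJECT_ID, GSA_NAME, GSA_PROJECT (GCP) or AWS_ACCOUNT_ID (AWS).

# ---- pure helpers: no cloud access -------------------------------------------

# Member that must hold roles/iam.workloadIdentityUser on the GSA.
wi_member() {  # <project_id> <namespace> <ksa>
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# GSA e-mail expected in the annotation iam.gke.io/gcp-service-account.
gsa_email() {  # <gsa_name> <gsa_project>
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Role ARN expected in the annotation eks.amazonaws.com/role-arn.
irsa_role_arn() {  # <aws_account_id> <role_name>
  printf 'arn:aws:iam::%s:role/%s' "$1" "$2"
}

# Registry KSA name the chart derives from the release name.
registry_ksa() {  # <release_name>
  printf '%s-okteto-enterprise-registry' "$1"
}

# Exact comparison: a typo, trailing space or unreplaced placeholder is a mismatch.
annotation_matches() {  # <observed> <expected>
  [ "$1" = "$2" ]
}

# Helm does not expand shell variables: a values file that still carries ${...}
# or the GSA_NAME/GSA_PROJECT placeholders annotates the KSA with an identity
# that does not exist. Prints the number of offending lines in $1 (or stdin).
count_unresolved() {
  grep -cE '\$\{[A-Z_]+\}|GSA_NAME|GSA_PROJECT' "${1:--}" || true
}

# Constructed sample (for the example only): the post's values, placeholders left in.
sample_unsubstituted_values() {
  cat <<'EOF'
cert-manager:
  serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account: GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com
registry:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: 'arn:aws:iam::${AWS_ACCOUNT_ID}:role/okteto-registry'
EOF
}

# ---- live checks: need kubectl plus gcloud or aws ----------------------------

ksa_annotation() {  # <namespace> <ksa> <annotation key, dots escaped>
  kubectl -n "$1" get sa "$2" -o jsonpath="{.metadata.annotations.$3}"
}

no_static_secret() {  # the static credential secret must be gone
  if kubectl -n "$RELEASE_NAMESPACE" get secret okteto-cloud-secret >/dev/null 2>&1; then
    echo "okteto-cloud-secret still exists: static credentials remain reachable"; return 1
  fi
}

verify_gcp() {
  local gsa ksa obs
  gsa=$(gsa_email "$GSA_NAME" "$GSA_PROJECT")
  for ksa in "${CERT_MANAGER_KSA:-certmanager}" "$(registry_ksa "$RELEASE_NAME")"; do
    obs=$(ksa_annotation "$RELEASE_NAMESPACE" "$ksa" 'iam\.gke\.io/gcp-service-account')
    annotation_matches "$obs" "$gsa" || { echo "$ksa: annotation '$obs' != '$gsa'"; return 1; }
    # The IAM binding must name exactly this namespace/KSA pair.
    gcloud iam service-accounts get-iam-policy "$gsa" --format=json \
      | grep -qF "$(wi_member "$PROJECT_ID" "$RELEASE_NAMESPACE" "$ksa")" \
      || { echo "$gsa: no workloadIdentityUser binding for $RELEASE_NAMESPACE/$ksa"; return 1; }
  done
  no_static_secret
}

verify_aws() {
  local pair ksa role arn obs
  for pair in "${CERT_MANAGER_KSA:-cert-manager}:${RELEASE_NAME}-cert-manager" \
              "$(registry_ksa "$RELEASE_NAME"):$(registry_ksa "$RELEASE_NAME")"; do
    ksa=${pair%%:*}; role=${pair#*:}
    arn=$(irsa_role_arn "$AWS_ACCOUNT_ID" "$role")
    obs=$(ksa_annotation "$RELEASE_NAMESPACE" "$ksa" 'eks\.amazonaws\.com/role-arn')
    annotation_matches "$obs" "$arn" || { echo "$ksa: annotation '$obs' != '$arn'"; return 1; }
    # The role's trust policy must pin the OIDC subject to this namespace/KSA.
    aws iam get-role --role-name "$role" --query Role.AssumeRolePolicyDocument --output json \
      | grep -qF "system:serviceaccount:${RELEASE_NAMESPACE}:${ksa}" \
      || { echo "$role: trust policy does not name $RELEASE_NAMESPACE/$ksa"; return 1; }
  done
  no_static_secret
}

case "${1:-}" in
  gcp) verify_gcp ;;
  aws) verify_aws ;;
  *)   : ;;  # no argument: only define the helpers, so the file can be sourced
esac
```

Run it as `./verify-workload-identity.sh gcp` or `./verify-workload-identity.sh aws` after the Helm upgrade; any mismatch prints which of the three links is broken and exits non-zero. Running `count_unresolved values.yaml` before the upgrade catches the most common mistake, a values file pasted with the placeholders still in it.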